
fix: beta/google-cloud-run use a service account with minimal permiss… #361


Open · wants to merge 1 commit into base: main

Conversation

RichardoC

…ions

Google recommends not using this service account, as it has more permissions than are typically required [1].

This PR updates the cloud run setup to use a dedicated service account, and then only grant the required permissions to it instead.
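As an added example (not code from this PR or from the project it targets), the check below expresses the PR's point as something a reviewer can run offline: given a Cloud Run service description (the Knative-shaped JSON that `gcloud run services describe --format=json` returns) and a project IAM policy (`gcloud projects get-iam-policy --format=json`), it flags a runtime identity that is the default Compute Engine service account or that holds roles outside an allow-list, and emits the `gcloud` commands that would switch the service to a dedicated account. The project name, service account name, project number and the allow-listed role are constructed assumptions; the PR itself does not state which roles it grants.

```python
"""Least-privilege audit for a Cloud Run service's runtime service account.

Added example; all sample data below is constructed, not taken from the PR.
"""
import re

# The default Compute Engine service account has the form
# PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Project-wide basic roles that a runtime identity should never hold.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def runtime_service_account(service):
    """Return spec.template.spec.serviceAccountName, or None when it is unset
    (Cloud Run then falls back to the default Compute Engine service account)."""
    spec = service.get("spec", {}).get("template", {}).get("spec", {})
    return spec.get("serviceAccountName") or None


def roles_held(iam_policy, service_account):
    """Project-level roles bound to the given service account."""
    member = f"serviceAccount:{service_account}"
    return sorted({b["role"] for b in iam_policy.get("bindings", [])
                   if member in b.get("members", [])})


def audit(service, iam_policy, allowed_roles):
    """Return the runtime identity, its roles, and a list of findings (empty = OK)."""
    sa = runtime_service_account(service)
    findings = []
    if sa is None:
        findings.append("no serviceAccountName set: the service runs as the "
                        "default Compute Engine service account")
        return {"service_account": None, "roles": [], "findings": findings}
    if DEFAULT_COMPUTE_SA.match(sa):
        findings.append(f"{sa} is the default Compute Engine service account; "
                        "use a dedicated service account instead")
    held = roles_held(iam_policy, sa)
    for role in held:
        if role in BROAD_ROLES:
            findings.append(f"{sa} holds basic role {role} on the whole project")
        elif role not in allowed_roles:
            findings.append(f"{sa} holds {role}, which is not in the allow-list")
    return {"service_account": sa, "roles": held, "findings": findings}


def remediation_commands(project, sa_name, region, service_name, allowed_roles):
    """gcloud commands to create a dedicated service account, grant only the
    allow-listed roles, and point the service at it. Returned as strings only."""
    email = f"{sa_name}@{project}.iam.gserviceaccount.com"
    cmds = [f"gcloud iam service-accounts create {sa_name} --project={project} "
            f"--display-name='{service_name} runtime identity'"]
    for role in sorted(allowed_roles):
        cmds.append(f"gcloud projects add-iam-policy-binding {project} "
                    f"--member=serviceAccount:{email} --role={role}")
    cmds.append(f"gcloud run services update {service_name} --region={region} "
                f"--project={project} --service-account={email}")
    return cmds


# ---- constructed sample data (assumptions, not the project's real values) ----
PROJECT = "example-project"
DEDICATED_SA = f"scim-bridge@{PROJECT}.iam.gserviceaccount.com"
DEFAULT_SA = "123456789012-compute@developer.gserviceaccount.com"
ALLOWED_ROLES = {"roles/secretmanager.secretAccessor"}  # assumed minimal role

SERVICE_BEFORE = {"spec": {"template": {"spec": {"serviceAccountName": DEFAULT_SA}}}}
SERVICE_AFTER = {"spec": {"template": {"spec": {"serviceAccountName": DEDICATED_SA}}}}

POLICY_BEFORE = {"bindings": [
    {"role": "roles/editor", "members": [f"serviceAccount:{DEFAULT_SA}"]},
]}
POLICY_AFTER = {"bindings": [
    {"role": "roles/editor", "members": [f"serviceAccount:{DEFAULT_SA}"]},
    {"role": "roles/secretmanager.secretAccessor",
     "members": [f"serviceAccount:{DEDICATED_SA}"]},
]}

if __name__ == "__main__":
    for label, svc, pol in (("before", SERVICE_BEFORE, POLICY_BEFORE),
                            ("after", SERVICE_AFTER, POLICY_AFTER)):
        result = audit(svc, pol, ALLOWED_ROLES)
        print(label, result["service_account"], result["findings"] or "OK")
    print("\n".join(remediation_commands(PROJECT, "scim-bridge", "us-central1",
                                         "scim-bridge", ALLOWED_ROLES)))
```

The "after" policy deliberately leaves the default account's `roles/editor` binding in place: the audit looks only at the identity the service actually runs as, which is the property this PR changes; cleaning up the default account's own grants is a separate project-level decision.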

@ag-adampike ag-adampike self-assigned this May 22, 2025
@ag-adampike ag-adampike added the enhancement New feature or request label May 22, 2025
@ag-adampike
Member

ag-adampike commented May 23, 2025

Hey @RichardoC! Thanks for this (pretty freakin' sweet) PR, and for taking the time to include accompanying documentation changes and the linked reference. 😍

This is indeed good guidance, corroborated as a best practice in other Google Cloud documentation [1][2] and following the principle of least privilege.

I have to review the changes and add some for customers that use SCIM bridge with Google Workspace as their identity provider. That case adds some potential complexity: because a SCIM client application is not available for Workspace, our bespoke provisioning integration always requires a Google Cloud service account key for this purpose. 🙃

Not getting that bit tangled up was one honest reason for using the default Compute Engine service account instead of a dedicated service account in the first place.

In any case, I'll be able to have a more thorough look at this next week and hopefully merge it shortly after.

Thanks again! 💙

Footnotes

  1. Best practices for using service accounts

  2. Introduction to service identity

Labels
enhancement New feature or request